--- /dev/null
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
--- /dev/null
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1282,6 +1282,7 @@ static void snd_timer_user_tinterrupt(st
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
--- /dev/null
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1746,6 +1746,7 @@ static int snd_timer_user_params(struct
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
--- /dev/null
+From 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 26 May 2016 15:42:13 -0400
+Subject: cgroup: set css->id to -1 during init
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 8fa3b8d689a54d6d04ff7803c724fb7aca6ce98e upstream.
+
+If percpu_ref initialization fails during css_create(), the free path
+can end up trying to free css->id of zero. As ID 0 is unused, it
+doesn't cause a critical breakage but it does trigger a warning
+message. Fix it by setting css->id to -1 from init_and_link_css().
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: Wenwei Tao <ww.tao0320@gmail.com>
+Fixes: 01e586598b22 ("cgroup: release css->id after css_free")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4793,6 +4793,7 @@ static void init_and_link_css(struct cgr
+ memset(css, 0, sizeof(*css));
+ css->cgroup = cgrp;
+ css->ss = ss;
++ css->id = -1;
+ INIT_LIST_HEAD(&css->sibling);
+ INIT_LIST_HEAD(&css->children);
+ css->serial_nr = css_serial_nr_next++;
--- /dev/null
+From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:30 -0400
+Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.
+
+There are legitimate reasons to disallow mmap on certain files, notably
+in sysfs or procfs. We shouldn't emulate mmap support on file systems
+that don't offer support natively.
+
+CVE-2016-1583
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/file.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -170,6 +170,19 @@ out:
+ return rc;
+ }
+
++static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *lower_file = ecryptfs_file_to_lower(file);
++ /*
++ * Don't allow mmap on top of file systems that don't support it
++ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
++ * allows recursive mounting, this will need to be extended.
++ */
++ if (!lower_file->f_op->mmap)
++ return -ENODEV;
++ return generic_file_mmap(file, vma);
++}
++
+ /**
+ * ecryptfs_open
+ * @inode: inode speciying file to open
+@@ -364,7 +377,7 @@ const struct file_operations ecryptfs_ma
+ #ifdef CONFIG_COMPAT
+ .compat_ioctl = ecryptfs_compat_ioctl,
+ #endif
+- .mmap = generic_file_mmap,
++ .mmap = ecryptfs_mmap,
+ .open = ecryptfs_open,
+ .flush = ecryptfs_flush,
+ .release = ecryptfs_release,
--- /dev/null
+From 226ba707744a51acb4244724e09caacb1d96aed9 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 21 Jun 2016 16:09:00 -0700
+Subject: Input: elantech - add more IC body types to the list
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream.
+
+The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and
+according to Elan both 11 and 12 are valid IC types and should be
+identified as hw_version 4.
+
+Reported-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
+Tested-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1568,13 +1568,7 @@ static int elantech_set_properties(struc
+ case 5:
+ etd->hw_version = 3;
+ break;
+- case 6:
+- case 7:
+- case 8:
+- case 9:
+- case 10:
+- case 13:
+- case 14:
++ case 6 ... 14:
+ etd->hw_version = 4;
+ break;
+ default:
--- /dev/null
+From e9003c9cfaa17d26991688268b04244adb67ee2b Mon Sep 17 00:00:00 2001
+From: Michael Welling <mwelling@ieee.org>
+Date: Wed, 20 Jul 2016 10:02:07 -0700
+Subject: Input: tsc200x - report proper input_dev name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Welling <mwelling@ieee.org>
+
+commit e9003c9cfaa17d26991688268b04244adb67ee2b upstream.
+
+Passes input_id struct to the common probe function for the tsc200x drivers
+instead of just the bustype.
+
+This allows for the use of the product variable to set the input_dev->name
+variable according to the type of touchscreen used. Note that when we
+introduced support for TSC2004 we started calling everything TSC200X, so
+let's keep this quirk.
+
+Signed-off-by: Michael Welling <mwelling@ieee.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/tsc2004.c | 7 ++++++-
+ drivers/input/touchscreen/tsc2005.c | 7 ++++++-
+ drivers/input/touchscreen/tsc200x-core.c | 15 ++++++++++++---
+ drivers/input/touchscreen/tsc200x-core.h | 2 +-
+ 4 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/touchscreen/tsc2004.c
++++ b/drivers/input/touchscreen/tsc2004.c
+@@ -22,6 +22,11 @@
+ #include <linux/regmap.h>
+ #include "tsc200x-core.h"
+
++static const struct input_id tsc2004_input_id = {
++ .bustype = BUS_I2C,
++ .product = 2004,
++};
++
+ static int tsc2004_cmd(struct device *dev, u8 cmd)
+ {
+ u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd;
+@@ -42,7 +47,7 @@ static int tsc2004_probe(struct i2c_clie
+ const struct i2c_device_id *id)
+
+ {
+- return tsc200x_probe(&i2c->dev, i2c->irq, BUS_I2C,
++ return tsc200x_probe(&i2c->dev, i2c->irq, &tsc2004_input_id,
+ devm_regmap_init_i2c(i2c, &tsc200x_regmap_config),
+ tsc2004_cmd);
+ }
+--- a/drivers/input/touchscreen/tsc2005.c
++++ b/drivers/input/touchscreen/tsc2005.c
+@@ -24,6 +24,11 @@
+ #include <linux/regmap.h>
+ #include "tsc200x-core.h"
+
++static const struct input_id tsc2005_input_id = {
++ .bustype = BUS_SPI,
++ .product = 2005,
++};
++
+ static int tsc2005_cmd(struct device *dev, u8 cmd)
+ {
+ u8 tx = TSC200X_CMD | TSC200X_CMD_12BIT | cmd;
+@@ -62,7 +67,7 @@ static int tsc2005_probe(struct spi_devi
+ if (error)
+ return error;
+
+- return tsc200x_probe(&spi->dev, spi->irq, BUS_SPI,
++ return tsc200x_probe(&spi->dev, spi->irq, &tsc2005_input_id,
+ devm_regmap_init_spi(spi, &tsc200x_regmap_config),
+ tsc2005_cmd);
+ }
+--- a/drivers/input/touchscreen/tsc200x-core.c
++++ b/drivers/input/touchscreen/tsc200x-core.c
+@@ -450,7 +450,7 @@ static void tsc200x_close(struct input_d
+ mutex_unlock(&ts->mutex);
+ }
+
+-int tsc200x_probe(struct device *dev, int irq, __u16 bustype,
++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id,
+ struct regmap *regmap,
+ int (*tsc200x_cmd)(struct device *dev, u8 cmd))
+ {
+@@ -547,9 +547,18 @@ int tsc200x_probe(struct device *dev, in
+ snprintf(ts->phys, sizeof(ts->phys),
+ "%s/input-ts", dev_name(dev));
+
+- input_dev->name = "TSC200X touchscreen";
++ if (tsc_id->product == 2004) {
++ input_dev->name = "TSC200X touchscreen";
++ } else {
++ input_dev->name = devm_kasprintf(dev, GFP_KERNEL,
++ "TSC%04d touchscreen",
++ tsc_id->product);
++ if (!input_dev->name)
++ return -ENOMEM;
++ }
++
+ input_dev->phys = ts->phys;
+- input_dev->id.bustype = bustype;
++ input_dev->id = *tsc_id;
+ input_dev->dev.parent = dev;
+ input_dev->evbit[0] = BIT(EV_ABS) | BIT(EV_KEY);
+ input_dev->keybit[BIT_WORD(BTN_TOUCH)] = BIT_MASK(BTN_TOUCH);
+--- a/drivers/input/touchscreen/tsc200x-core.h
++++ b/drivers/input/touchscreen/tsc200x-core.h
+@@ -70,7 +70,7 @@
+ extern const struct regmap_config tsc200x_regmap_config;
+ extern const struct dev_pm_ops tsc200x_pm_ops;
+
+-int tsc200x_probe(struct device *dev, int irq, __u16 bustype,
++int tsc200x_probe(struct device *dev, int irq, const struct input_id *tsc_id,
+ struct regmap *regmap,
+ int (*tsc200x_cmd)(struct device *dev, u8 cmd));
+ int tsc200x_remove(struct device *dev);
--- /dev/null
+From 60842ef8128e7bf58c024814cd0dc14319232b6c Mon Sep 17 00:00:00 2001
+From: Sinclair Yeh <syeh@vmware.com>
+Date: Thu, 23 Jun 2016 17:37:34 -0700
+Subject: Input: vmmouse - remove port reservation
+
+From: Sinclair Yeh <syeh@vmware.com>
+
+commit 60842ef8128e7bf58c024814cd0dc14319232b6c upstream.
+
+The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This
+causes the port to be reserved by the APCI module as the system comes up,
+making it unavailable to be reserved again by other drivers, thus
+preserving this VMWare port for special use in a VMWare guest.
+
+This port is designed to be shared among multiple VMWare services, such as
+the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port
+on its own.
+
+The VMWare non-EFI BIOS does not do this to preserve compatibility with
+existing/legacy VMs. It is known that there is small chance a VM may be
+configured such that these ports get reserved by other non-VMWare devices,
+and if this ever happens, the result is undefined.
+
+Signed-off-by: Sinclair Yeh <syeh@vmware.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/vmmouse.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/input/mouse/vmmouse.c
++++ b/drivers/input/mouse/vmmouse.c
+@@ -355,18 +355,11 @@ int vmmouse_detect(struct psmouse *psmou
+ return -ENXIO;
+ }
+
+- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
+- psmouse_dbg(psmouse, "VMMouse port in use.\n");
+- return -EBUSY;
+- }
+-
+ /* Check if the device is present */
+ response = ~VMMOUSE_PROTO_MAGIC;
+ VMMOUSE_CMD(GETVERSION, 0, version, response, dummy1, dummy2);
+- if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) {
+- release_region(VMMOUSE_PROTO_PORT, 4);
++ if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU)
+ return -ENXIO;
+- }
+
+ if (set_properties) {
+ psmouse->vendor = VMMOUSE_VENDOR;
+@@ -374,8 +367,6 @@ int vmmouse_detect(struct psmouse *psmou
+ psmouse->model = version;
+ }
+
+- release_region(VMMOUSE_PROTO_PORT, 4);
+-
+ return 0;
+ }
+
+@@ -394,7 +385,6 @@ static void vmmouse_disconnect(struct ps
+ psmouse_reset(psmouse);
+ input_unregister_device(priv->abs_dev);
+ kfree(priv);
+- release_region(VMMOUSE_PROTO_PORT, 4);
+ }
+
+ /**
+@@ -438,15 +428,10 @@ int vmmouse_init(struct psmouse *psmouse
+ struct input_dev *rel_dev = psmouse->dev, *abs_dev;
+ int error;
+
+- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
+- psmouse_dbg(psmouse, "VMMouse port in use.\n");
+- return -EBUSY;
+- }
+-
+ psmouse_reset(psmouse);
+ error = vmmouse_enable(psmouse);
+ if (error)
+- goto release_region;
++ return error;
+
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ abs_dev = input_allocate_device();
+@@ -502,8 +487,5 @@ init_fail:
+ kfree(priv);
+ psmouse->private = NULL;
+
+-release_region:
+- release_region(VMMOUSE_PROTO_PORT, 4);
+-
+ return error;
+ }
--- /dev/null
+From 9e72ac7492149a229ce9039c680849cb682d7092 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:55:11 -0700
+Subject: Input: wacom_w8001 - ignore invalid pen data packets
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream.
+
+ThinkPad X60 Tablet PC (pen only device) sometime posts
+packets that are larger than W8001_PKTLEN_TPCPEN.
+
+Reported-by: Chris J Arges <christopherarges@gmail.com>
+Tested-by: Chris J Arges <christopherarges@gmail.com>
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -342,6 +342,15 @@ static irqreturn_t w8001_interrupt(struc
+ w8001->idx = 0;
+ parse_multi_touch(w8001);
+ break;
++
++ default:
++ /*
++ * ThinkPad X60 Tablet PC (pen only device) sometimes
++ * sends invalid data packets that are larger than
++ * W8001_PKTLEN_TPCPEN. Let's start over again.
++ */
++ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1)
++ w8001->idx = 0;
+ }
+
+ return IRQ_HANDLED;
--- /dev/null
+From 12afb34400eb2b301f06b2aa3535497d14faee59 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 23 Jun 2016 10:54:17 -0700
+Subject: Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.
+
+Somehow the patch that added two-finger touch support forgot to update
+W8001_MAX_LENGTH from 11 to 13.
+
+Signed-off-by: Ping Cheng <pingc@wacom.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/wacom_w8001.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/wacom_w8001.c
++++ b/drivers/input/touchscreen/wacom_w8001.c
+@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkm
+ MODULE_DESCRIPTION(DRIVER_DESC);
+ MODULE_LICENSE("GPL");
+
+-#define W8001_MAX_LENGTH 11
++#define W8001_MAX_LENGTH 13
+ #define W8001_LEAD_MASK 0x80
+ #define W8001_LEAD_BYTE 0x80
+ #define W8001_TAB_MASK 0x40
--- /dev/null
+From c7f1429389ec1aa25e042bb13451385fbb596f8c Mon Sep 17 00:00:00 2001
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Thu, 23 Jun 2016 10:24:42 -0700
+Subject: Input: xpad - fix oops when attaching an unknown Xbox One gamepad
+
+From: Cameron Gutman <aicommander@gmail.com>
+
+commit c7f1429389ec1aa25e042bb13451385fbb596f8c upstream.
+
+Xbox One controllers have multiple interfaces which all have the
+same class, subclass, and protocol. One of the these interfaces
+has only a single endpoint. When Xpad attempts to bind to this
+interface, it causes an oops when trying initialize the output URB
+by trying to access the second endpoint's descriptor.
+
+This situation was avoided for known Xbox One devices by checking
+the XTYPE constant associated with the VID and PID tuple. However,
+this breaks when new or previously unknown Xbox One controllers
+are attached to the system.
+
+This change addresses the problem by deriving the XTYPE for Xbox
+One controllers based on the interface protocol before checking
+the interface number.
+
+Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers")
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1206,16 +1206,6 @@ static int xpad_probe(struct usb_interfa
+ break;
+ }
+
+- if (xpad_device[i].xtype == XTYPE_XBOXONE &&
+- intf->cur_altsetting->desc.bInterfaceNumber != 0) {
+- /*
+- * The Xbox One controller lists three interfaces all with the
+- * same interface class, subclass and protocol. Differentiate by
+- * interface number.
+- */
+- return -ENODEV;
+- }
+-
+ xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL);
+ if (!xpad)
+ return -ENOMEM;
+@@ -1246,6 +1236,8 @@ static int xpad_probe(struct usb_interfa
+ if (intf->cur_altsetting->desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC) {
+ if (intf->cur_altsetting->desc.bInterfaceProtocol == 129)
+ xpad->xtype = XTYPE_XBOX360W;
++ else if (intf->cur_altsetting->desc.bInterfaceProtocol == 208)
++ xpad->xtype = XTYPE_XBOXONE;
+ else
+ xpad->xtype = XTYPE_XBOX360;
+ } else {
+@@ -1260,6 +1252,17 @@ static int xpad_probe(struct usb_interfa
+ xpad->mapping |= MAP_STICKS_TO_NULL;
+ }
+
++ if (xpad->xtype == XTYPE_XBOXONE &&
++ intf->cur_altsetting->desc.bInterfaceNumber != 0) {
++ /*
++ * The Xbox One controller lists three interfaces all with the
++ * same interface class, subclass and protocol. Differentiate by
++ * interface number.
++ */
++ error = -ENODEV;
++ goto err_free_in_urb;
++ }
++
+ error = xpad_init_output(intf, xpad);
+ if (error)
+ goto err_free_in_urb;
--- /dev/null
+From caca925fca4fb30c67be88cacbe908eec6721e43 Mon Sep 17 00:00:00 2001
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Wed, 29 Jun 2016 09:51:35 -0700
+Subject: Input: xpad - validate USB endpoint count during probe
+
+From: Cameron Gutman <aicommander@gmail.com>
+
+commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
+
+This prevents a malicious USB device from causing an oops.
+
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -1200,6 +1200,9 @@ static int xpad_probe(struct usb_interfa
+ int ep_irq_in_idx;
+ int i, error;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
++ return -ENODEV;
++
+ for (i = 0; xpad_device[i].idVendor; i++) {
+ if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
+ (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
--- /dev/null
+From 6343a2120862f7023006c8091ad95c1f16a32077 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 1 Jul 2016 14:56:07 +0200
+Subject: locks: use file_inode()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 6343a2120862f7023006c8091ad95c1f16a32077 upstream.
+
+(Another one for the f_path debacle.)
+
+ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.
+
+The reason is that generic_add_lease() used filp->f_path.dentry->inode
+while all the others use file_inode(). This makes a difference for files
+opened on overlayfs since the former will point to the overlay inode the
+latter to the underlying inode.
+
+So generic_add_lease() added the lease to the overlay inode and
+generic_delete_lease() removed it from the underlying inode. When the file
+was released the lease remained on the overlay inode's lock list, resulting
+in use after free.
+
+Reported-by: Eryu Guan <eguan@redhat.com>
+Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/locks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -1602,7 +1602,7 @@ generic_add_lease(struct file *filp, lon
+ {
+ struct file_lock *fl, *my_fl = NULL, *lease;
+ struct dentry *dentry = filp->f_path.dentry;
+- struct inode *inode = dentry->d_inode;
++ struct inode *inode = file_inode(filp);
+ struct file_lock_context *ctx;
+ bool is_deleg = (*flp)->fl_flags & FL_DELEG;
+ int error;
--- /dev/null
+From ba562d5e54fd3136bfea0457add3675850247774 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Wed, 1 Jun 2016 22:21:53 +0300
+Subject: pinctrl: imx: Do not treat a PIN without MUX register as an error
+
+From: Alexander Shiyan <shc_work@mail.ru>
+
+commit ba562d5e54fd3136bfea0457add3675850247774 upstream.
+
+Some PINs do not have a MUX register, it is not an error.
+It is necessary to allow the continuation of the PINs configuration,
+otherwise the whole PIN-group will be configured incorrectly.
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/freescale/pinctrl-imx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx.c
+@@ -207,9 +207,9 @@ static int imx_pmx_set(struct pinctrl_de
+ pin_reg = &info->pin_regs[pin_id];
+
+ if (pin_reg->mux_reg == -1) {
+- dev_err(ipctl->dev, "Pin(%s) does not support mux function\n",
++ dev_dbg(ipctl->dev, "Pin(%s) does not support mux function\n",
+ info->pins[pin_id].name);
+- return -EINVAL;
++ continue;
+ }
+
+ if (info->flags & SHARE_MUX_CONF_REG) {
--- /dev/null
+From 0ac3c0a4025f41748a083bdd4970cb3ede802b15 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 31 May 2016 14:17:06 -0700
+Subject: pinctrl: single: Fix missing flush of posted write for a wakeirq
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream.
+
+With many repeated suspend resume cycles, the pin specific wakeirq
+may not always work on omaps. This is because the write to enable the
+pin interrupt may not have reached the device over the interconnect
+before suspend happens.
+
+Let's fix the issue with a flush of posted write with a readback.
+
+Reported-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-single.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1576,6 +1576,9 @@ static inline void pcs_irq_set(struct pc
+ else
+ mask &= ~soc_mask;
+ pcs->write(mask, pcswi->reg);
++
++ /* flush posted write */
++ mask = pcs->read(pcswi->reg);
+ raw_spin_unlock(&pcs->lock);
+ }
+
--- /dev/null
+From 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece Mon Sep 17 00:00:00 2001
+From: Rhyland Klein <rklein@nvidia.com>
+Date: Thu, 9 Jun 2016 17:28:39 -0400
+Subject: power_supply: power_supply_read_temp only if use_cnt > 0
+
+From: Rhyland Klein <rklein@nvidia.com>
+
+commit 5bc28b93a36e3cb3acc2870fb75cb6ffb182fece upstream.
+
+Change power_supply_read_temp() to use power_supply_get_property()
+so that it will check the use_cnt and ensure it is > 0. The use_cnt
+will be incremented at the end of __power_supply_register, so this
+will block to case where get_property can be called before the supply
+is fully registered. This fixes the issue show in the stack below:
+
+[ 1.452598] power_supply_read_temp+0x78/0x80
+[ 1.458680] thermal_zone_get_temp+0x5c/0x11c
+[ 1.464765] thermal_zone_device_update+0x34/0xb4
+[ 1.471195] thermal_zone_device_register+0x87c/0x8cc
+[ 1.477974] __power_supply_register+0x364/0x424
+[ 1.484317] power_supply_register_no_ws+0x10/0x18
+[ 1.490833] bq27xxx_battery_setup+0x10c/0x164
+[ 1.497003] bq27xxx_battery_i2c_probe+0xd0/0x1b0
+[ 1.503435] i2c_device_probe+0x174/0x240
+[ 1.509172] driver_probe_device+0x1fc/0x29c
+[ 1.515167] __driver_attach+0xa4/0xa8
+[ 1.520643] bus_for_each_dev+0x58/0x98
+[ 1.526204] driver_attach+0x20/0x28
+[ 1.531505] bus_add_driver+0x1c8/0x22c
+[ 1.537067] driver_register+0x68/0x108
+[ 1.542630] i2c_register_driver+0x38/0x7c
+[ 1.548457] bq27xxx_battery_i2c_driver_init+0x18/0x20
+[ 1.555321] do_one_initcall+0x38/0x12c
+[ 1.560886] kernel_init_freeable+0x148/0x1ec
+[ 1.566972] kernel_init+0x10/0xfc
+[ 1.572101] ret_from_fork+0x10/0x40
+
+Also make the same change to ps_get_max_charge_cntl_limit() and
+ps_get_cur_chrage_cntl_limit() to be safe. Lastly, change the return
+value of power_supply_get_property() to -EAGAIN from -ENODEV if
+use_cnt <= 0.
+
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Signed-off-by: Rhyland Klein <rklein@nvidia.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/power_supply_core.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/power/power_supply_core.c
++++ b/drivers/power/power_supply_core.c
+@@ -565,11 +565,12 @@ static int power_supply_read_temp(struct
+
+ WARN_ON(tzd == NULL);
+ psy = tzd->devdata;
+- ret = psy->desc->get_property(psy, POWER_SUPPLY_PROP_TEMP, &val);
++ ret = power_supply_get_property(psy, POWER_SUPPLY_PROP_TEMP, &val);
++ if (ret)
++ return ret;
+
+ /* Convert tenths of degree Celsius to milli degree Celsius. */
+- if (!ret)
+- *temp = val.intval * 100;
++ *temp = val.intval * 100;
+
+ return ret;
+ }
+@@ -612,10 +613,12 @@ static int ps_get_max_charge_cntl_limit(
+ int ret;
+
+ psy = tcd->devdata;
+- ret = psy->desc->get_property(psy,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val);
+- if (!ret)
+- *state = val.intval;
++ ret = power_supply_get_property(psy,
++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, &val);
++ if (ret)
++ return ret;
++
++ *state = val.intval;
+
+ return ret;
+ }
+@@ -628,10 +631,12 @@ static int ps_get_cur_chrage_cntl_limit(
+ int ret;
+
+ psy = tcd->devdata;
+- ret = psy->desc->get_property(psy,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val);
+- if (!ret)
+- *state = val.intval;
++ ret = power_supply_get_property(psy,
++ POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, &val);
++ if (ret)
++ return ret;
++
++ *state = val.intval;
+
+ return ret;
+ }
--- /dev/null
+From 749d088b8e7f4b9826ede02b9a043e417fa84aa1 Mon Sep 17 00:00:00 2001
+From: Minfei Huang <mnghuan@gmail.com>
+Date: Fri, 27 May 2016 14:17:10 +0800
+Subject: pvclock: Add CPU barriers to get correct version value
+
+From: Minfei Huang <mnghuan@gmail.com>
+
+commit 749d088b8e7f4b9826ede02b9a043e417fa84aa1 upstream.
+
+Protocol for the "version" fields is: hypervisor raises it (making it
+uneven) before it starts updating the fields and raises it again (making
+it even) when it is done. Thus the guest can make sure the time values
+it got are consistent by checking the version before and after reading
+them.
+
+Add CPU barries after getting version value just like what function
+vread_pvclock does, because all of callees in this function is inline.
+
+Fixes: 502dfeff239e8313bfbe906ca0a1a6827ac8481b
+Signed-off-by: Minfei Huang <mnghuan@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/pvclock.h | 2 ++
+ arch/x86/kernel/pvclock.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/arch/x86/include/asm/pvclock.h
++++ b/arch/x86/include/asm/pvclock.h
+@@ -76,6 +76,8 @@ unsigned __pvclock_read_cycles(const str
+ u8 ret_flags;
+
+ version = src->version;
++ /* Make the latest version visible */
++ smp_rmb();
+
+ offset = pvclock_get_nsec_offset(src);
+ ret = src->system_time + offset;
+--- a/arch/x86/kernel/pvclock.c
++++ b/arch/x86/kernel/pvclock.c
+@@ -66,6 +66,8 @@ u8 pvclock_read_flags(struct pvclock_vcp
+
+ do {
+ version = __pvclock_read_cycles(src, &ret, &flags);
++ /* Make sure that the version double-check is last. */
++ smp_rmb();
+ } while ((src->version & 1) || version != src->version);
+
+ return flags & valid_flags;
+@@ -80,6 +82,8 @@ cycle_t pvclock_clocksource_read(struct
+
+ do {
+ version = __pvclock_read_cycles(src, &ret, &flags);
++ /* Make sure that the version double-check is last. */
++ smp_rmb();
+ } while ((src->version & 1) || version != src->version);
+
+ if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) {
--- /dev/null
+From 78c4e172412de5d0456dc00d2b34050aa0b683b5 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 5 Jul 2016 17:32:29 -0400
+Subject: Revert "ecryptfs: forbid opening files without mmap handler"
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 78c4e172412de5d0456dc00d2b34050aa0b683b5 upstream.
+
+This reverts commit 2f36db71009304b3f0b95afacd8eba1f9f046b87.
+
+It fixed a local root exploit but also introduced a dependency on
+the lower file system implementing an mmap operation just to open a file,
+which is a bit of a heavy hammer. The right fix is to have mmap depend
+on the existence of the mmap handler instead.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/kthread.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,7 +25,6 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
+-#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -148,7 +147,7 @@ int ecryptfs_privileged_open(struct file
+ flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto have_file;
++ goto out;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -166,16 +165,8 @@ int ecryptfs_privileged_open(struct file
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file)) {
++ if (IS_ERR(*lower_file))
+ rc = PTR_ERR(*lower_file);
+- goto out;
+- }
+-have_file:
+- if ((*lower_file)->f_op->mmap == NULL) {
+- fput(*lower_file);
+- *lower_file = NULL;
+- rc = -EMEDIUMTYPE;
+- }
+ out:
+ return rc;
+ }
xen-pciback-fix-conf_space-read-write-overlap-check.patch
xenbus-don-t-bug-on-user-mode-induced-condition.patch
xenbus-don-t-bail-early-from-xenbus_dev_request_and_reply.patch
+alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch
+alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch
+input-vmmouse-remove-port-reservation.patch
+input-elantech-add-more-ic-body-types-to-the-list.patch
+input-xpad-fix-oops-when-attaching-an-unknown-xbox-one-gamepad.patch
+input-wacom_w8001-w8001_max_length-should-be-13.patch
+input-wacom_w8001-ignore-invalid-pen-data-packets.patch
+input-xpad-validate-usb-endpoint-count-during-probe.patch
+input-tsc200x-report-proper-input_dev-name.patch
+pvclock-add-cpu-barriers-to-get-correct-version-value.patch
+pinctrl-single-fix-missing-flush-of-posted-write-for-a-wakeirq.patch
+pinctrl-imx-do-not-treat-a-pin-without-mux-register-as-an-error.patch
+cgroup-set-css-id-to-1-during-init.patch
+power_supply-power_supply_read_temp-only-if-use_cnt-0.patch
+locks-use-file_inode.patch
+revert-ecryptfs-forbid-opening-files-without-mmap-handler.patch
+ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
